Enterprise Architecture: From Incite comes Insight...: How many fingers are required to count the number of clueless IT Security Professionals?

Tuesday, September 23, 2008

How many fingers are required to count the number of clueless IT Security Professionals?

Today, I figured I would analyze a most wonderful comment left by William Barr...

Mr. Barr stated:

The problem I have had in the past communicating with "full-time security professionals (i.e., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications)" is that none of them could give me examples of what they were talking about in code. Therefore, as resources, they were of limited use.

The more interesting question is whether the CISO of many enterprises are aware that their staff isn't providing any value in helping protect enterprise applications in which the vast majority of the IT budget is directed at. Enterprises spend more on developing their own inhouse applications than they do on Oracle, Microsoft, Sun and Cisco combined.

I think if more of the "full-time security professionals (i.e., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications)" had real-world experience actually implementing what they mandate, and provided demonstrable examples, that would go a long ways towards closing the gap.

The concepts of getting security professionals of encouraging them to attend OWASP and other free user groups where application security concerns become visible would be a great first start.

I had to teach the "full-time security professionals (i.e., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications)" how apache worked, how the web services stack worked, how tomcat worked, how Spring worked, what AOP was and how it worked, etc. ... in hindsight, it probably would have been easier for me to become a "full-time security professionals (i.e., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications)" and approved the framework myself.

Actually, that isn't a bad idea. Most so-called security professionals nowadays are really practicing network hygiene and while pontificating the need for holistic approaches to security that obviously includes software development, they obviously aren't practicing what they preach. Maybe the better answer is for IT security departments to harvest the best of the software development staff (you know the ones who are disgusted with working with Indian outsourcing because they actually care about the quality of code and not just dates) and turn them into holistic IT security professionals...